Chosen solution

So in another request: Firefox local development "CORS request not http", I found the suggestion to toggle the value of the about:config setting privacy.file_unique_origin. Doing so resolved my page load issue, but at the same time feels like it could leave my browser far less safe.

Could you check for messages in Firefox's Web Console? You can open the Web Console in the lower part of the tab using either:

"3-bar" menu button > Web Developer > Web Console

(menu bar) Tools > Web Developer > Web Console

(Windows) Ctrl+Shift+k

Then reload the page in the upper part of the tab and watch for error or security messages. Anything that sounds like it could be relevant? You can expand the list by using the row of headings starting with Errors Warning Logs in case there are messages in other categories.

Hi Kurt, the site "eats" certain tags, but I see you have:
&lt;?xml version="1.0" encoding="ISO-8859-1"?>
&lt;?xml-stylesheet type="text/xsl" href="ASTest_Appl_Events.xsl"?>
Are these being served on http/https, or opened from disk (file URL)? If you right-click the page and choose View Page Info, does it have an XML content-type such as application/xml or text/xml?
On the style sheet, I notice it uses an unusual namespace, although that might not matter:
&lt;?xml version="1.0" encoding="ISO-8859-1"?>
&lt;xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3''.''org/1999/XSL/Transform" '''xmlns:MSEvent'''="http://schemas.microsoft''.''com/win/2004/08/events/event">
Could you check for messages in Firefox's Web Console? You can open the Web Console in the lower part of the tab using either:
* "3-bar" menu button > Web Developer > Web Console
* (menu bar) Tools > Web Developer > Web Console
* (Windows) Ctrl+Shift+k
Then reload the page in the upper part of the tab and watch for error or security messages. Anything that sounds like it could be relevant? You can expand the list by using the row of headings starting with Errors Warning Logs in case there are messages in other categories.

Question owner

My files are being opened from the command line as a file URL:
start "" "C:\Program Files\Mozilla Firefox\firefox.exe" c:\Workspace\ASTest_Appl_Events.xml

Thanks for the information on the Web Console. I see from it that it's not reading my XLS file due to the Same Origin Policy, apparently because the request is not http. I'll have to see if there is a way to override that policy for specific locations on my network.

My files are being opened from the command line as a file URL:
start "" "C:\Program Files\Mozilla Firefox\firefox.exe" c:\Workspace\ASTest_Appl_Events.xml
Thanks for the information on the Web Console. I see from it that it's not reading my XLS file due to the Same Origin Policy, apparently because the request is not http. I'll have to see if there is a way to override that policy for specific locations on my network.

Chosen Solution

So in another request: Firefox local development "CORS request not http", I found the suggestion to toggle the value of the about:config setting privacy.file_unique_origin. Doing so resolved my page load issue, but at the same time feels like it could leave my browser far less safe.

So in another request: Firefox local development "CORS request not http", I found the suggestion to toggle the value of the about:config setting privacy.file_unique_origin. Doing so resolved my page load issue, but at the same time feels like it could leave my browser far less safe.

So in another request: Firefox local development "CORS request not http", I found the suggestion to toggle the value of the about:config setting privacy.file_unique_origin. Doing so resolved my page load issue, but at the same time feels like it could leave my browser far less safe.

You beat me to it.

As for the safety of it, it is a theoretical basis for an attack. The problem could arise when you open an untrusted page in a folder with sensitive files. If you save pages from untrusted sites in a separate folder, e.g., Downloads\Untrusted, then it would be difficult for an attacker to find any valuable content using local file links.

''Kurt H [[#answer-1236496|said]]''
<blockquote>
So in another request: Firefox local development "CORS request not http", I found the suggestion to toggle the value of the about:config setting privacy.file_unique_origin. Doing so resolved my page load issue, but at the same time feels like it could leave my browser far less safe.
</blockquote>
You beat me to it.
As for the safety of it, it is a theoretical basis for an attack. The problem could arise when you open an untrusted page in a folder with sensitive files. If you save pages from untrusted sites in a separate folder, e.g., Downloads\Untrusted, then it would be difficult for an attacker to find any valuable content using local file links.

I create xml files in a ..\reports directory They reference a stylesheet e.g.: '.\SurveyRespondentList.xsl'

The most recent Firefox Quantum 68.0 (64-bit) appears to be 'broken'
Previous versions have worked over the years
The newest version apparently broke something.
My reports also work on Internet Explorer 11
My applications are open to all and I have been using this approach to create and display database query reports for years.

I create xml files in a ..\reports directory They reference a stylesheet e.g.: '.\SurveyRespondentList.xsl'
The most recent Firefox Quantum 68.0 (64-bit) appears to be 'broken'
Previous versions have worked over the years
The newest version apparently broke something.
My reports also work on Internet Explorer 11
My applications are open to all and I have been using this approach to create and display database query reports for years.

Yes, there was a security patch which restricts local file loads by local pages. As noted in the solution at the top, you can roll back that patch:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste uniq and pause while the list is filtered

(3) Double-click the privacy.file_unique_origin preference to switch the value from true to false

''anderci [[#answer-1236829|said]]''
<blockquote>
The newest version apparently broke something.
</blockquote>
Yes, there was a security patch which restricts local file loads by local pages. As noted in the solution at the top, you can roll back that patch:
(1) In a new tab, type or paste '''about:config''' in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste '''uniq''' and pause while the list is filtered
(3) Double-click the '''privacy.file_unique_origin''' preference to switch the value from true to false

How does this help any/all users trying to view __.xml report files?
If they are using Firefox, they would be using the default version.

This change I mentioned is for file:// URLs. It shouldn't affect opening XML files from a server on a http:// or https:// URL.

''anderci [[#answer-1236857|said]]''
<blockquote>
How does this help any/all users trying to view __.xml report files?
If they are using Firefox, they would be using the default version.
</blockquote>
This change I mentioned is for file:// URLs. It shouldn't affect opening XML files from a server on a http:// or https:// URL.

Thank you for responding.
ALL of the report files are file:// URLs created for the user on their local PC by the programs I created for their use on their local PC.
This approach has worked very well for years.

Thank you for responding.
ALL of the report files are file:// URLs created for the user on their local PC by the programs I created for their use on their local PC.
This approach has worked very well for years.

> 1) Is the simple functionality I have used for years gone forever? Or will some eventual future patch restore it?

The developers are aware that this patch created problems with HTML-based help documentation, but they weren't able to come up with a way to distinguish legitimate local links from potential attack links. In the future, they might come up with something to allow help documentation to work again and hopefully you would be able to benefit from that, but it's not likely to happen soon.

> 2) Can this patch rollback be handled by some type of script?

It's not very convenient to try to script changes to Firefox settings files because they are stored in profile folders with a randomized name. Also, I wouldn't recommend rolling back security patches applied to your customers' systems without their knowledge and consent. That might make you liable for a potential data breach.

Hi anderci:
> 1) Is the simple functionality I have used for years gone forever? Or will some eventual future patch restore it?
The developers are aware that this patch created problems with HTML-based help documentation, but they weren't able to come up with a way to distinguish legitimate local links from potential attack links. In the future, they might come up with something to allow help documentation to work again and hopefully you would be able to benefit from that, but it's not likely to happen soon.
> 2) Can this patch rollback be handled by some type of script?
It's not very convenient to try to script changes to Firefox settings files because they are stored in profile folders with a randomized name. Also, I wouldn't recommend rolling back security patches applied to your customers' systems without their knowledge and consent. That might make you liable for a potential data breach.

You can install another Firefox ( Firefox ESR)as dual-installation to solve this issue. Means you have two Firefoxes on one OS: Firefox 68(or later) and Firefox 60 ESR. It might not be a complete solution(this is an important point in the context of your manner) but it works. For instance, to open an XML file including an XSL file uses Firefox 60 ESR, to Internet browsing uses Firefox 68 or later. Don't use Firefox 68 ESR(or later) as this way because it works the same to Firefox 68 in terms of the CORS.(see MDN web docs 'Reason: CORS request not HTTP' > Local File Security in Firefox 68 ). Now your latest Firefox keeps CORS security while your Firefox ESR is downgraded at the old version of CORS.

This solution aims to debug the XML/XSL that placed on local with Firefox. (file:///folder.../xxx.xml)

To install Firefox ESR as the addition, choosing custom install is a must to pre-create a 'Mozilla Firefox ESR' folder that Firefox ESR will be installed. If you are using Windows, open 'Run' and enter-in 'firefox -p' then press Enter, You can create a new profile to use with the Firefox ESR. It might better that choose another folder that is different from Firefox Quantum already installed. As a preparation, open Firefox already installed, go help > Troubleshooting Information.

Hi there,
You can install another Firefox ( Firefox ESR)as dual-installation to solve this issue. Means you have two Firefoxes on one OS: Firefox 68(or later) and Firefox 60 ESR. '''It might not be a complete solution'''(this is an important point in the context of your manner) but it works. For instance, to open an XML file including an XSL file uses Firefox 60 ESR, to Internet browsing uses Firefox 68 or later. Don't use Firefox 68 ESR(or later) as this way because it works the same to Firefox 68 in terms of the CORS.(see MDN web docs 'Reason: CORS request not HTTP' > Local File Security in Firefox 68 ). Now your latest Firefox keeps CORS security while your Firefox ESR is downgraded at the old version of CORS.
This solution aims to debug the XML/XSL that placed on local with Firefox. (file:///folder.../xxx.xml)
To install Firefox ESR as the addition, choosing custom install is a must to pre-create a 'Mozilla Firefox ESR' folder that Firefox ESR will be installed. If you are using Windows, open 'Run' and enter-in 'firefox -p' then press Enter, You can create a new profile to use with the Firefox ESR. It might better that choose another folder that is different from Firefox Quantum already installed. As a preparation, open Firefox already installed, go help > Troubleshooting Information.
firefox esr 60: https://www.mozilla.org/en-US/firefox/organizations/

This change seems to be causing problems in various places. Can I temporarily change the value of privacy.file_unique_origin by command line option? Chrome has options like --allow-file-access-from-files.

This change seems to be causing problems in various places. Can I temporarily change the value of privacy.file_unique_origin by command line option? Chrome has options like --allow-file-access-from-files.
https://stackoverflow.com/questions/56999411/firefox-68-local-files-now-treated-as-cross-origin-is-there-a-way-to-override

Thank you for answering.
As I faced this problem in my project too, I solved it by changing to a test using google Chrome recently.
I would be glad if you could support future command line options like Chrome's --allow-file-access-from-files.

Thank you for answering.
As I faced this problem in my project too, I solved it by changing to a test using google Chrome recently.
I would be glad if you could support future command line options like Chrome's --allow-file-access-from-files.

Another approach is to modify the .xml file to imbed the XSLT code.
I believe this works with Firefox 68 and Firefox 64 and Chrome 75 but not with IE 11.
Very unfortunately I know of no clear trend among web browsers to reject the 'reports' with .xml and .xsl paired files and to accept .xml files with the embedded xslt style code. Also, I have not learned the clean way of doing this embedded style code .

Another approach is to modify the .xml file to imbed the XSLT code.
I believe this works with Firefox 68 and Firefox 64 and Chrome 75 but not with IE 11.
Very unfortunately I know of no clear trend among web browsers to reject the 'reports' with .xml and .xsl paired files and to accept .xml files with the embedded xslt style code. Also, I have not learned the clean way of doing this embedded style code .